From 4db61fb406afb8447fb8dfe4808ccb426b824064 Mon Sep 17 00:00:00 2001
From: Adrian Holovaty
Date: Wed, 29 Nov 2006 03:14:03 +0000
Subject: [PATCH] Fixed #3078 -- newforms: Added HTML escaping to label_tag() calls. Thanks, SmileyChris
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4133 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/newforms/forms.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/django/newforms/forms.py b/django/newforms/forms.py
index 1750a09489..b8911dd013 100644
--- a/django/newforms/forms.py
+++ b/django/newforms/forms.py
@@ -82,7 +82,7 @@ class Form(object):
 bf = BoundField(self, field, name)
 if bf.errors:
 output.append(u'%s' % bf.errors)
- output.append(u'%s%s' % (bf.label_tag(bf.verbose_name+':'), bf))
+ output.append(u'%s%s' % (bf.label_tag(escape(bf.verbose_name+':')), bf))
 return u'\n'.join(output)

 def as_ul(self):
@@ -96,7 +96,7 @@ class Form(object):
 line = u'
  • '
 if bf.errors:
 line += str(bf.errors)
- line += u'%s %s
  • ' % (bf.label_tag(bf.verbose_name+':'), bf)
+ line += u'%s %s' % (bf.label_tag(escape(bf.verbose_name+':')), bf)
 output.append(line)
 return u'\n'.join(output)
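Review bot: Both changed lines (the `output.append(...)` row in the first hunk and the `line += ...` line here) escape `bf.verbose_name` at the call site rather than inside `label_tag()`, so every other caller of `label_tag()` still has to remember to escape its own contents. `label_tag()` is not part of this diff, so this is inferred: if it falls back to `verbose_name` when called without contents, that default path would presumably still emit the raw label. Consider escaping that default inside `label_tag()`, or at least documenting the contract there with a comment such as `# contents must already be HTML-escaped by the caller`. The diffstat shows only forms.py changed and no import added, so `escape` is assumed to be already imported in this module, and no regression test covers a verbose_name containing `<`, `>` or `&`. Both enclosing methods start outside their hunks.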